ID. Date of interview 
date 42/92/20 


ID. Time interview started 
start 46:99:33 


ID.end Completion date of interview 
Date 42/02/20 


ID.end Time interview ended 
16:59:42 


ID. Duration of interview 
time 5715 


new case 


ICO consultation on the draft right of access 
guidance 


Q1 


Does the draft guidance cover the relevant issues about the right of access? 
© Yes 
©) No 

©) Unsure / don't know 

If no or unsure/don’t know, what other issues would you like to be covered in it? 


Q2 


Does the draft guidance contain the right level of detail? 


© Yes 
©) No 

©) Unsure / don't know 

If no or unsure/don't know, in what areas should there be more detail within the draft 
guidance? 


Q3 


Does the draft guidance contain enough examples? 
© Yes 
—) No 

©) Unsure / don't know 

If no or unsure/don’t know, please provide any examples that think should be included in 
the draft guidance. 


Q4 


We have found that data protection professionals often struggle with applying and 
defining ‘manifestly 

unfounded or excessive’ subject access requests. We would like to include a wide 

range of examples 

from a variety of sectors to help you. Please provide some examples of manifestly 
unfounded and excessive 

requests below (if applicable). 


Article 12 refers to requests from a data subject that are manifestly unfounded or 
excessive, in particular because of their repetitive character. The examples should 
not relate exclusively to repetitive requests. The term “excessive” in its common 
usage could apply to a request that is unreasonable in terms of its proportionality, 
taking into account the nature of the processing, the scope of the searches involved 
and the burden of locating, extracting, reviewing and redacting the data. Elsewhere 
in this guidance it is stated that “You should keep a record of the date you 
responded and what information you provided.” There seems to be little reason to 
refuse a request on the grounds the information has previously been provided, if the 
previous response can simply be sent again. The reasoning behind allowing refusal 
of repetitive requests might be due to the cumulative burden of locating and 
extracting the personal data where the requests do not overlap, which would also 
link to the reference in Recital 63 that the controller should be able to request 
clarification before the information is delivered. If a request (or the search 
required) may be so burdensome as to require a clarification, then it seems 
unreasonable for such a request to be split into multiple separate requests if the 
burden imposed by the original request remains excessive. An example might 
involve a long term employee, whose name could appear in many disparate records 
and emails connected with the business, which in isolation have little to do with the 
employee personally. These records would not be stored or easily searched for by 
reference to the employee, as the employee is not their primary focus. If the 
employee sought every piece of data that related to them in some way, and refused 
to meaningfully narrow or focus the request, the burden of sifting, sorting and 
redacting may be quite disproportionate to the intention of Article 15. Recital 63 
gives the purpose of the right of access as being in order to be aware of, and verify, 
the lawfulness of the processing. It may be appropriate to balance this against any 
decision as to whether the request is excessive. Another example might be where 
an individual already has the means to access the personal data themselves. This 
might include copies of correspondence between the data subject and the controller. 


Q5 


Q6 


Q7 


On a scale of 1-5 how useful is the draft guidance? 


1-Notatall 2-—Slightly | Moderately 4-Very 5-Extremely 
useful useful useful useful useful 


Why have you given this score? 


It is very helpful to have a document set out the ICO's position on interpretation of 
the law and the practical elements involved in answering a request. The document is 
also useful to data subjects, because the data controller can quote relevant sections 
and include a link to the guidance when explaining its decisions to the data subject, 


and the data subject can use the guidance to assess whether the data controller has 
acted fairly and lawfully. 


To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly Neither agree Strongly 
disagree Disagree nor disagree Agree agree 


i © 


Q8 


Q9 


Please provide any further comments or suggestions you may have about the draft 
guidance. 


One example of a complex request might be where the data controller identifies a 
need to carry out further searches that were not apparent when the request was 
first assessed. For example, a resident may have made a broad SAR to their local 
authority. It may only become apparent when the initial data has been extracted a 


and reviewed that a complaint was escalated to the Ombudsman and subsequently 
became the subject of a compensation claim. 


Are you answering as: 


O An individual acting in a private capacity (eg someone providing their views as a member of the public) 
(`) An individual acting in a professional capacity 

© On behalf of an organisation 

€ ) Other 

Please specify the name of your organisation: 

Transport for London 


What sector are you from: 
Public Sector Transport 


Q10 How did you find out about this survey? 
©) ICO Twitter account 
(|) ICO Facebook account 
©) ICO LinkedIn account 
© ICO website 
©) ICO newsletter 
C) ICO staff member 
C) Colleague 
©) Personal/work Twitter account 
(`) Personal/work Facebook account 
() Personal/work LinkedIn account 
O Other 
If other please specify: 


